---
title: "Provision Users"
description: "Automatically authenticate your SaaS users to your Activepieces instance"
icon: 'user'
---

<Snippet file="enterprise-feature.mdx" />

## Overview

In Activepieces, there are **Projects** and **Users**. Each project is provisioned with their corresponding workspace, project, or team in your SaaS. The users are then mapped to the respective users in Activepieces.

To achieve this, the backend will generate a signed token that contains all the necessary information to automatically create a user and project. If the user or project already exists, it will skip the creation and log in the user directly.

<Steps>
  <Step title="Step 1: Obtain Signing Key">
    You can generate a signing key by going to **Platform Settings -> Signing Keys -> Generate Signing Key**.

    This will generate a public and private key pair. The public key will be used by Activepieces to verify the signature of the JWT tokens you send. The private key will be used by you to sign the JWT tokens.

    <Warning>
      Please store your private key in a safe place, as it will not be stored in Activepieces.
    </Warning>
  </Step>

  <Step title="Step 2: Generate a JWT">
    The signing key will be used to generate JWT tokens for the currently logged-in user on your website, which will then be sent to the Activepieces Iframe as a query parameter to authenticate the user.

    To generate these tokens, you will need to add code in your backend to generate the token using the RS256 algorithm, so the JWT header would look like this:

    <Tip>
      To obtain the `SIGNING_KEY_ID`, refer to the signing key table and locate the value in the first column.
    </Tip>

    ```json
    {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "SIGNING_KEY_ID"
    }
    ```

    The signed tokens must include these claims in the payload:

    ```json
    {
      "externalUserId": "user_id",
      "externalProjectId": "user_project_id",
      "firstName": "John",
      "lastName": "Doe",
      "email": "john@example.com",
      "role": "EDITOR",
      "pieces": {
        "filterType": "NONE"
      },
      "exp": 1856563200
    }
    ```

    | Claim             | Description                                     |
    |-------------------|-------------------------------------------------|
    | externalUserId    | Unique identification of the user in **your** software |
    | externalProjectId | Unique identification of the user's project in **your** software |
    | firstName         | First name of the user                           |
    | lastName          | Last name of the user                            |
    | email             | Email address of the user                        |
    | role              | Role of the user in the Activepieces project (e.g., **EDITOR**, **VIEWER**)           |
    | exp               | Expiry timestamp for the token (Unix timestamp)  |
    | pieces            | Customize project pieces, check the section below  |

    You can use any JWT library to generate the token. Here is an example using the jsonwebtoken library in Node.js:

    <Tip>
      You can also use this [tool](https://dinochiesa.github.io/jwt/) to generate a quick example.
    </Tip>

    ```javascript Node.js
    const jwt = require('jsonwebtoken');

    // JWT NumericDates specified in seconds:
    const currentTime = Math.floor(Date.now() / 1000);
    let token = jwt.sign(
      {
        externalUserId: "user_id",
        externalProjectId: "user_project_id",
        firstName: "John",
        lastName: "Doe",
        role: "EDITOR",
        email: "john@example.com",
        pieces: {
          filterType: "NONE"
        },
        exp: currentTime + (24 * 60 * 60), // 1 day from now
      },
      process.env.ACTIVEPIECES_SIGNING_KEY,
      {
        algorithm: "RS256",
        header: {
          kid: signingKeyID, // Include the "kid" in the header
        },
      }
    );
    ```

    Once you have generated the token, please check the embedding docs to know how to embed the token in the iframe.
  </Step>
</Steps>
